Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

narramissic writes "Lenovo plans to announce on Tuesday a service that allows users to remotely disable a PC by sending a text message. A user can send the command from a specified cell phone number — each ThinkPad can be paired with up to 10 cell phones — to kill a PC. The software will be available free from Lenovo's Web site. It will also be available on certain ThinkPad notebooks equipped with mobile broadband starting in the first half of 2009. 'You steal my PC and ... if I can deliver a signal to that PC that turns it off, hey, I'm good now,' said Stacy Cannady, product manager of security at Lenovo. 'The limitation here is that you have to have a WAN card in the PC and you must be paying a data plan for it,' Cannady added."

IF the person who stole your laptop knows their way around a computer, sure. But the average person still is barely capable of navigating MySpace. If they press the power button, and it does not log on, it is going to be useless to them.

And then like any good thief they'll go and throw out or use your laptop for target practice. I think laptop LoJack for Laptop would probably be a better service if they're going through the trouble of putting a WAN card in and what not.

I saw that when hackaday originally wrote it up and was curiously intrigued, let's put it that way. Their setup seems to be lit off by hand rather than remotely. (It just says they used sparklers to light it.) It'd be nice if it were A: automated, so it could be triggered by a remote alarm system, and B: pretty foolproof. Were I to do this, one thing I'd consider is using an external hard drive, or at least a bank of relays on the power to the system, that cut out when the thermite dumps, so you wouldn'

An Estes igniter probably couldn't do it unless you dipped it in extra pyrogen. A Daveyfire electric match, on the other hand would probably be able to do it, though... they're used to ignite AP composite motors in high power rockets. Or, you could use the exhaust from a small (say a D or an E) AP motor... it has the benefit of lasting a lot longer than the match would, and doesn't need a LEP to get a hold of (Daveyfires are also used to ignite pyrotechnic displays, and other low-explosives, so IIRC, you ne

it is precisely because you are using disk encryption that you need a feature like this to complement it. Disk encryption only works to lock people out when you need to boot. That means if a computer is on because you entered the password at boot time, disk encryption doesn't do anything to protect your data. By forcing it to shutdown using text message, you just made sure others cannot start it without knowing your pass phrase.

This is not about data protection. It is about making the device unusable. Just like you can block your phone when it is stolen.

It will not stop thiefs of stealing your device. It will not protect your data. As far as I read it does not even claim to do that.

So, all the talk about how this forces the drive encryption to activate by requiring a shutdown rather than a suspend/hibernate wasn't about protecting data?

from TFA:

Since hard disk drive encryption will not work properly if the PC is running or in hibernation mode, this disable feature ensures that the data is secure by shutting the machine down and allowing the hard disk drive encryption to work. If and when the ThinkPad laptop is recovered, the user can restore the notebook, its settings and the data contained on the PC by entering a password.

Having been in this position, the thing that bother me is not the material loss of the laptop (though It would be nice to know they stole junk) but the data contained on it. So long as your drive is encrypted, then this thing is a bonus

While it may be some comfort that ones encrypted data gets to stay secret, and this might be enough for many, I'm on the side of the fence where I'd want to tasar the theif, in the neck, in the guts, in the arm pits, in the groin, in the mouth, and so on and so forth. Even if it is just a crappy old work laptop.

Maybe there's some way to rig it up so that the phone call can activate a bit of a hot power button, push it and it triggers the zapping goodness.

The vast majority of thieves aren't even going to realise that this service is enabled. They certainly won't be deploying GPS jammers or reflashing the BIOS or opening the laptop up. And TFA article mentions that the whole point is to protect data by allowing users to shutdown access to an encrypted HDD that might still be open.

Thieves typically dont have the IQ to do any of that. When I was robbed, we nailed the thief not only from the video cameras that he looked right at to give us a awesome face shot, but he stole my daughters cellphone. He left it on all the time reporting his position. The cops had his ass in less than 24 hours.

Honestly thieves barely know how to use a screwdriver outside of prying a door or window with it. You seriously think one would do the delicate task of opening a laptop or flashing the bios? That's plain old funny.

Remember, there are two kinds of thieves. There are amateurs and there are pros.

Amateurs are desperate people, usually because of an addiction of some sort, who steal whenever an opportunity presents itself. They see a car with an unlocked door, or an open window and they act. These people are the most common type of thieves, and will be caught with this technology.

Professionals steal things for a living. They are very calculated and know all of the security measures people use, and how to avoid them. This technology will not stop a professional. In fact, nothing will stop a professional. Professionals are why you buy insurance.

Fortunately, there aren't many professional thieves. When you think about it, it's very difficult to become a professional thief. This is because a pro cannot be desperate. They need to have time to study their target and come up with a plan of attack. This requires a person with a certain personality, that doesn't steal out of last resort, but steals for some other reason. There aren't many people like this in the world, and most of them are caught before they become very good at stealing.

They need to have time to study their target and come up with a plan of attack.

Time means living expenses. That means a job, unless you're independently wealthy.

This means that to try once and fail, and then be able to try again, you have to:

- not be identified in your first attempt; or- escape the force of law [including extradition laws]- do the jail time

Escaping the force of law probably makes it untenable to have a job, so that one is only available to people who are independently wealthy. Doing the time means the rate of professional theft gets lowered by a huge bit.

This technology will not stop a professional. In fact, nothing will stop a professional.

Professional? Who pray tell defines a professional thief?

Is there a guild? A union?

Have you ever met one in person and he showed you his business card?

And then... If such a person was so intelligent and so skilled, would he be so interested to go after your laptop for a few paltry hundred dollars? He's going after bulk shipments or valuables worth thousands. If he is smart, he is going after something that is worth his j

Exactly. Smart thieves perform a thorough risk/reward calculation and a lot of planning before they go for target. They are near impossible to catch.

I, for one, regularly steal rolls of toilet paper from work.I'll never get caught because I put a lot of forethought into each coup and perfectionized my strategy over years. I only lift one roll at a time so it doesn't get noticed and so I can at any time pretend to be just carrying it around because I need to "clean my desk or something". Plus, I always drop the roll into my bag while sitting at my desk and without looking down. Eyes must be focussed on screen, innocent facial expression - nobody would ever notice from a distance that I'm performing a felony under the table in just that moment!

Bare the occassional accident (when I miss the bag and have to crawl under the table to recover the loot) I think I can safely claim that the perfect crime is possible and I have mastered it.

How exactly are they disabling the laptop? It can't be something superficial but with the amount of time a program has to work it probably has to be superficial to work. Will a program have enough time to do anything more then clear the cmos or erase the drive mbr? Even if it's a hardware disable the whole thing becomes parts worthy and the data on the hard drive essentially remains in it's entirety.

The shutdown is supposed to be utilised with hard disk encryption - the whole point is that your data is better protected. The disabling is carried out by the BIOS; presumably it checks the disable bit before booting the OS and allows the legal user to enter a recovery password.

what makes you think they wouldn't just put the dead laptop itself on eBay? They claim it is "recently untested but worked a while ago" and some sucker buys it. I mean we're not talking about honest people here are we?

My normal Slashdot cynicism wants to find a problem with this technology, but I can't so far, other than that a smart thief would just make sure to remove the WAN card and flash the BIOS (possibly with a new serial number or the remote disable, uh, disabled).

I don't put too much stock into the thinking of people who would steal laptops like this. If the fix was something simple, like a software disable that depended on the OS, I'd say the technology was useless. But until someone comes up with this new BIOS with the appropriate section disabled, I'd say it's still a pretty decent technology.

The article is pretty slim on how this is actually going to work. Do I assume that I make the phone call once and Lenovo will constantly try to connect with it until it is successful? If not, how many times do I call it until I cut off my data plan?

I would like to be able to turn this off in the future when attempting to sell the laptop as well.

It looks like the disable is handled in the BIOS, so either the GPS hardware is capable of receiving SMS texts while the laptop is hibernating, or the text is received when the BIOS boots up. Either way, you just have to send one text - your cell network provider will store and forward it to the receiver, it's just a regular text.

I think someone has thought of the same basic concept before [bash.org]. Personally I wouldn't want to have a bomb ready to go off at any time on my lap, the C4 is relatively stable but the detonator really isn't and would have to be in place. A spark, a battery on fire and boom goes you. The collateral damage could be pretty nasty too, even if the charge is small. If you want the James Bond solution, I'd go with poisonous darts on the front, open it up and you get a nasty surprise. That way you can carry an antidote

Yes, it'll probably be as secure as the Lenovo BIOS supervisor passwords.

(Hint: Supervisor password? Get a paperclip. The data pin goes to ground, boot laptop. Enter bios. Remove paperclip, set [new] supervisor password. It overwrites the old one. Which chip to mess with and which pins are which I leave to you and Google. Shouldn't take long.)

(The phone rings.)Frink: Lab.Homer's Message: Greetings, friend. Do you wish to look as happy as me?...Frink: Why it's the AT-5000 Auto-Dialer! My very first patent. Aw, would you listen to the gibberish they've got you saying, it's sad and alarming. You were designed to alert schoolchildren about snow days and such! Well, let's get you home to Frinky. Hope your wheels still work, bw-hey.(Frink dials a code into the phone, and the AT-5000 grows legs with wheels and attempts to escape.)Homer: Oh no, you don

So you're telling me there will be a GSM module in the laptop that is constantly connecting to my network to wait for such a kill signal? Like say, a tracing bug? I know it'll be a pain for the thief but what about me?
What a craptacular idea. Having my laptop become my personal GSM tracking device. Where have I been? Wait lets ask my "anti theft"-device.

So you're telling me there will be a GSM module in the laptop that is constantly connecting to my network to wait for such a kill signal? Like say, a tracing bug?

Better put on your tinfoil hat - here's something you don't know: the cellular network knows where devices on the cellular network are and which cellular towers the devices are talking to. That is how the cellular network knows to send your phone calls to your phone.

I am sure that if the government wanted to track you, they would use your cell phone which is on GSM/CDMA network nearly-100% of the time, or iPhone which has the added flexibility of GPS. If you are the type of person to care about you being tracked here or there, than don't purchase a Lenovo laptop with this feature.

However what all the tin-foil crowd seems to forget is one fact: No one cares about 99.999% of you to date you, much less follow your every movement. Especially a Chinese laptop manufacturer

So you're telling me there will be a GSM module in the laptop that is constantly connecting to my network to wait for such a kill signal? Like say, a tracing bug? I know it'll be a pain for the thief but what about me? What a craptacular idea.

Yes, because this kind of enterprise-level hardware management feature is targeted at you, the loner Slashdot basement dweller...

Seems to be some kind of revenge system."hey you stole my laptop, so now I've made it useless"This doesn't prevent theft and because it's not likely to be the default behaviour of the laptop it doesn't even discourage theft.

Yeah, malice towards the 'thief' really pisses me off. I can understand businesses wanting to protect their private information (which they can accomplish with encryption), but this idea of "If I can't have it then no one can" is just ridiculous.

I've had things stolen from me, nice expensive things, but my reaction was never once anger, never feeling I need to chase down the thief and kick their asses. It was, "Oh well, tough shit, life goes on and I hope they do something meaningful with what they took."

Just because that thing gets ripped off and sold to someone else, someone somewhere might make good use of it. It might just be someone's child they wanted to get a decent present for their birthday and for all they knew that the person they bought it from had never stolen it.

It's a waste, trying to catch the thief is one thing, destroying it so it's no good for anyone is just plain selfish and it proves who the real monster is.

The network card is not the only thing that is wrong with this, the fact that you now turned off the machine, states the machine will not turn back on...to give you a location of where it is.Someone will open it up...change the network card with another...or just add a usb one...and there you go...problem solved.

This feature doesn't seem to be aimed at stopping blackhats or organized criminals, two of the more "intelligent" varieties. No, this thing is meant to royally screw Joe Crackhead.

The feature doesn't appear as if it's ever going to stop a sophisticated high-tech criminal, naturally. Nor does this seem the intent. Identity thieves and data miners don't even need possession of the laptop, so no good there. Even then, the new feature is easily defeated. Organized criminals tend to know what they're doing as well, and any safety measure can be defeated by competence and planning. Still, they're both rare enough.

No, this sounds perfect for the two-bit junkie, the most common of criminals. Brick the laptop, especially remotely, and suddenly it's worthless for him to offload for his fix.

This is exactly what we need in terms of laptop security. To you nay-sayers out there spinning doom and gloom scenarios about friends pranking your laptop with text messages, I can only assume that there is some secret passcode that you must send as part of the text-message to disable the machine. In fact, it should be convoluted, and hard to remember. Fortunately, as the proud owner of a brand-new Lenovo laptop, you can keep information like that stored right on the laptop, which you take everywhere.

This is a decent idea in theory as a simple theft deterrent, but it makes me ask two questions:

Does this allow my laptop tracked in any way? Probably if you know what you're doing.

Can this connection do anything besides receiving a kill command? I'm skeptical.

Another question you have to ask is how fast and how completely word will spread about this feature on Lenovo laptops. That's what its success depends on. If a potential thief doesn't know about the feature and steals your laptop, he's not going t

How about setting up a simple script that periodically polls a remote site - say a web page under your control? If it can't reach it, or it reaches it and gets a default response, no action's taken. If on the other hand the page returns an innocuous looking kill code, a small program is run that disables the BIOS? On the server side, you'd be mailed the IP your stolen laptop connected from, which might give you some location info.

Any time you provide a tool like this, it has the potentiall to be used against the owner as well, especially if someone else with access to the equipment understands the tool better than the owner does.

I can see several scenarios, some more plausible than others where another party might be inclined to use it to lock the owner out of access to his own data.

Yes if the other party has access to the machine, they can always cripple it by other means but the beauty of this is that it can be used even after that party apparently no longer has access.

That SMS text messages are completely unforgeable and also ultra ultra reliable in delivery. I am sure that the thief will also be so kind as to send a reply back to let you know it was received correctly so you will know it was not garbled or dropped in transit. And nobody would ever dream of hacking or moding a cell phone for spoofing, or even think of installing software on your phone would they? That kind of thing just could never happen these days. </sarcasm>

Sprint offers a similar service with some of their WAN cards. The difference is that the Sprint card acts as a key to full-drive crypto. No card, no data. If the card is remotely disabled, no data. Really seems like a great way to lock down your laptops containing sensitive info.

Where does it say the trigger is in the OS? It would make less sense to do it that way, since you'd have to write a new driver for each OS. Since TFA says "Phoenix Technologies, developed this security feature and embedded the technology within the notebookâ(TM)s BIOS" I would assume that means it is OS independent.

Why do you think the BIOS would hog the wireless 100% of the time? The architecture would obviously be interrupt driven - the BIOS doesn't hog any other piece of hardware whilst waiting for

If you think Phoenix is that smart, well I have a bunch of bridges to sell you.

This isn't the first security gimmick they've deployed. They've had the internet version of this sort of thing for years now (Computrace / Lojack). It's a software client that runs in the taskbar, Windows-only, that triggers the BIOS kill bit.

I wouldn't be surprised if this "new" cell-based feature were just a new client app working with the same kill bit as the old ones. That makes it easier to develop and deploy, since it wo

Of course it requires the use of a cellular network. That means that if the would-be thief really wants to steal your notebook with data intact, all he or she needs to do is either A) pull out the cellular card or B) if the cellular card is built-in, encase the laptop in a carefully-crafted metal box to designed to block the cell signal.

Either way, it's only a deterrent to people who don't know what they're doing.

It isn't quite that simple on a ThinkPad [sodoityourself.com] - the BIOS password is tied in to the TPM chip. And I really doubt your average thief is going to be building custom hardware and soldering it to the laptop mainboard...

A remotely accessible killswitch that could be fired even against the legitimate owner's consent... hey, isn't that exactly what Orrin Hatch has been requesting that the Righteous Inquisition Army of Autocrats be able to do to file sharers a few years back???

I think the best idea is to start tracking the laptop. Send out GPS coordinates, send out IP addresses, send out _fingerprints_, take screen shots, etc.

If it has a webcam, add mugshot. Compare the image on a local mugshot database, get some likely culprits and their last known address. Then maybe automate the search warrant, police report, and insurance claims process and you've got a real solution. Of course, the search warrant part is now optional, I believe.

Obviously you spent a lot more time thinking about this then I did, but you've got the right idea.

My laptop rarely leaves my desk, and if it does I'm pretty damn attentive to keeping possession of it (Oh, and it doesnt have any cellular wireless connectivity anyway, just plain wifi, which isn't set to activate automatically, because I'm normally on a wired link.), so my post was more about the concept, and also the fact that there are so many special paid-for 'services' that are absolutely irrelevant to som